Which ports are considered unsafe by Chrome?

84

35

Some ports generate an error (ERR_UNSAFE_PORT) when browsing to them via Chrome (see this related question). Which ports are considered safe, and which are unsafe by default?

ripper234

Posted 2010-09-13T12:36:42.650

Reputation: 9 293

Answers

127

The following is a list of all of the restricted ports on Chrome:

1,       // tcpmux
7,       // echo
9,       // discard
11,      // systat
13,      // daytime
15,      // netstat
17,      // qotd
19,      // chargen
20,      // ftp data
21,      // ftp access
22,      // ssh
23,      // telnet
25,      // smtp
37,      // time
42,      // name
43,      // nicname
53,      // domain
77,      // priv-rjs
79,      // finger
87,      // ttylink
95,      // supdup
101,     // hostname
102,     // iso-tsap
103,     // gppitnp
104,     // acr-nema
109,     // pop2
110,     // pop3
111,     // sunrpc
113,     // auth
115,     // sftp
117,     // uucp-path
119,     // nntp
123,     // NTP
135,     // loc-srv /epmap
139,     // netbios
143,     // imap2
179,     // BGP
389,     // ldap
427,     // SLP (Also used by Apple Filing Protocol)
465,     // smtp+ssl
512,     // print / exec
513,     // login
514,     // shell
515,     // printer
526,     // tempo
530,     // courier
531,     // chat
532,     // netnews
540,     // uucp
548,     // AFP (Apple Filing Protocol)
556,     // remotefs
563,     // nntp+ssl
587,     // smtp (message submission)
601,     // syslog-conn
636,     // ldap+ssl
993,     // imap+ssl
995,     // pop3+ssl
2049,    // nfs
3659,    // apple-sasl / PasswordServer
4045,    // lockd
6000,    // X11
6665,    // Alternate IRC [Apple addition]
6666,    // Alternate IRC [Apple addition]
6667,    // Standard IRC [Apple addition]
6668,    // Alternate IRC [Apple addition]
6669,    // Alternate IRC [Apple addition]
6697,    // IRC + TLS

Source: Chrome source.

heavyd

Posted 2010-09-13T12:36:42.650

Reputation: 54 755

Thanks, this was very helpful in figuring out why my ZNC server didn't appear to be working properly – Hamy – 2014-06-29T05:23:12.460

As of 2017, 65535 is also considered "unsafe". I have no idea why err_unsafe_ports applies to requests to localhost (clearly requests to localhost should mean I am a developer or I am otherwise purposefully proxying requests via localhost). – cowbert – 2018-02-13T00:00:34.013

@cowbert your assumption is invalid. It could be an XSS or malicious website making requests to localhost. – cytinus – 2019-01-30T17:36:39.140

6697 is also a restricted port. There are definitely additional ones not listed in this segment of the source code. Someone who knows more about this should add to this answer. – AndrewF – 2019-03-18T23:49:18.263

I have found and linked the latest source code, which has added 6697, and I added details about 21 over ftp://. Edit is pending review. Note also (@cowbert) that port 65535 is no longer marked as unsafe. – AndrewF – 2019-03-19T00:04:53.480

19

And the Mozilla Firefox Unsafe Ports list for good measure: http://www-archive.mozilla.org/projects/netlib/PortBanning.html#portlist – CoolAJ86 – 2012-06-28T21:37:53.050
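A preflight check built from the port list in the answer above, as an added example that is not part of the original answers or of Chrome's own code: it parses each endpoint URL, resolves the effective port (including scheme defaults) and reports the ones that would hit ERR_UNSAFE_PORT. The helper names and sample URLs are constructed; the check applies to any host, localhost included, and does not model scheme-specific exceptions.

```javascript
// Restricted ports copied from the list in the answer above.
const RESTRICTED_PORTS = new Set([
  1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79, 87,
  95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139,
  143, 179, 389, 427, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 548,
  556, 563, 587, 601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666, 6667,
  6668, 6669, 6697,
]);

// Scheme defaults: the URL parser reports an empty port string for these.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Hypothetical helper: classify a single endpoint URL.
function checkEndpoint(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { url: raw, status: "invalid" };
  }
  const fallback = DEFAULT_PORTS[url.protocol];
  if (fallback === undefined) return { url: raw, status: "not-web-scheme" };
  // An explicit port wins; otherwise the scheme default applies.
  const port = url.port === "" ? fallback : Number(url.port);
  return { url: raw, port, status: RESTRICTED_PORTS.has(port) ? "blocked" : "ok" };
}

// Hypothetical helper: keep only the endpoints the browser would refuse.
function findBlockedEndpoints(urls) {
  return urls.map(checkEndpoint).filter((r) => r.status === "blocked");
}

// Constructed sample configuration (not from the page).
const SAMPLE_ENDPOINTS = [
  "http://localhost:6000/app",
  "https://example.test:6697/chat",
  "http://localhost:8080/",
  "https://example.test/",
  "http://example.test:65535/",
  "not a url",
];

console.log(findBlockedEndpoints(SAMPLE_ENDPOINTS));
```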

31

The reason it's called unsafe is not because it's unsafe to Chrome; it's because it's unsafe to those services, where an attacker may try to use Chrome as a proxy for attacking services on those ports. More explanation here:

http://jazzy.id.au/default/2012/08/23/why_does_chrome_consider_some_ports_unsafe.html

James Roper

Posted 2010-09-13T12:36:42.650

Reputation: 599

1

By default web services normally run on port 80 and SSL encrypted traffic runs on port 443, so these should be "safe" ports. These are typically known as "default ports" or "well known ports". "Safe" seems to be a Chrome-ism :)

"Safe" is a bit meaningless though. If it runs on another port it's more likely to be dodgy traffic, but just because it's on port 80 doesn't mean it won't install malware etc. on your PC.

Sirex

Posted 2010-09-13T12:36:42.650

Reputation: 10 321

@Sirex By the way, is it about the port number or the connection scheme being used? For example if a URL is like: https://<domain_name>:20/<path_name> there is no reason to worry right? Because it specifies a secure connection scheme. Although it is on the FTP port (an unsafe considered port), if the port doesn't run https, then there won't be any connection after all right? So is it about the port number or the connection scheme? (By the way, I am not trying to be a smart-ass. I am trying to understand what is safe and what is not and why) – Utku – 2015-11-05T14:39:29.477

Usually, though it's possible for an SSL encrypted site to install malware on your PC, the https just means it'll do so securely. It's not a designation of the traffic being safe. It's a designation of the traffic being secure. It could also be an invalid SSL certificate, but that'll give warnings in your browser. The short answer is nothing is truly safe, unless you know the sender of the information, and know the channel is private. – Sirex – 2015-11-05T19:05:58.800

1 There's no reason why traffic on non-default ports would be dodgy. For example non-default ports are used on unix machines where the web server is administered completely independently from the local administrator (unix restricts servers on ports <1024 to the system administrator). Such setups are very rare nowadays because the economic conditions of web hosting have changed, but there's nothing illegitimate about them. – Gilles 'SO- stop being evil' – 2010-09-13T18:16:06.883

3 The above is true, but I'm not going to be clicking any URLs that specify a port number. – Sirex – 2010-09-13T22:06:54.980

In the age of webservices this is absolutely false. Even in 2010, the default ports for web application servers like Tomcat or Unicorn were 8080 or 8443. Unix restricts ports < 1024 to running as root and nobody in 2010 would be running web application servers (apache http is special since it knows how to su to a non-privileged user after starting master process as root) on port 80 or 443. – cowbert – 2018-02-13T00:05:47.863

I don't get what you're trying to convey, or whatever you were trying to convey hasn't been done so well. – Sirex – 2018-02-13T01:52:55.603